ae774d29cb04152971f0ee8f3f06d6f5b8b77f84bd776366dad4685cd4567a68

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2022, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

srv.html
Size

12KB
MD5

7d02a4656feaf477fe181096c8537030
SHA1

a7eddf9d0e79d0820621ce35e91ac3180b220d5a
SHA256

ae774d29cb04152971f0ee8f3f06d6f5b8b77f84bd776366dad4685cd4567a68
SHA512

5a512563b18cb08805eb396931c3611c9390bc87dba76cbafdfcd4d9aec1265400689b47fa422a9cb749543e48f2a1496ef56c29ef59410b505bc04dfbd7b40d
SSDEEP

384:4Xwxzh/MNiHxCHv97Q5qh0bbtiZ5nF9bWzrPdy41E:4XcHU65ou0Z5nFFWzrPdy41E

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a100000000002000000000010660000000100002000000057d75f0ac796fa06602d453f1cbeee8558730b29f755e339a5dee047fec76568000000000e8000000002000020000000b86074e2895afa34e4bf4355562a2a9557a7c3db3f9f34e52372f499f7d2fda52000000095dc4d55d4732c275fec847867eb918f9e150cb9e8adb5cdcad4b846ea8b91b84000000006668c2c7f323252ee0f1d2a923eb451752b6b80ca3d772fb95191548180c934e4e1152ada4525c99881cfe27d8b8d285f5df3cfd8ff6d1cd738b3329d56219e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d530a105e0d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000006c67741b5066dbc59f1a384661f3e1f2f74ffbde48b4369bf7425cbbfe7a5e8a000000000e8000000002000020000000afa45e183994d9ab0c0ea74ecd2ce208bd521bec936219ae6e906bbb751d702820000000c16e1c1ca11b7c63d4b6f0b976e2022f44d6222e76a931a6c3c292f661a2ee9f40000000bac44895a24dfdfab4adabdbf6cfd6a6672b2a2dd459568b852c8cb33f3db8840b920533e7afde7a398ec147199cc4f5ea9bb9d9cc3293673323c4e2c69a8c41	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000f2a42858fb75df3bf5e35172143be78f8622b20ee1a53f1f2e4b9bce91b8a808000000000e800000000200002000000086aefc4cb441b0c7bfd5a6d361657e7394c37c57879245ced4338cf38aac79ee20000000535eb11ac8b3bfebdc0c541d7d3fedfbfa8b3b44b7afacbadf97006a12814fe640000000a4caecc945df8b3792f9490f69ab08a4dd9ae8ec6fdafb64c527364b21527696a323374691a32f4b556be8595a707df5c449fa611eb929c8e95e2f096036b9c2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2379820394"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0fc45d205e0d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000fee68bb57d6b37ef36bd75358382d5f2cb7a58b69e640956ebc92fd7475d00ec000000000e800000000200002000000078bda46b1681d4856c4af98e0b7768855d4be446d81c20c70dadb2e413cce023200000006fc46f1ef0c28fafd9e92ed582717496b63c43f4310df88c72e441826f17d82040000000f81fd8eb9836f7acf5db3283e044f770c17c0e539cfc1fcfdb387fa9cbeef4813fff03bfb55db7f9ac87ce998c9f0c7af39242496e404fe1932b5cad5d77647f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2379820394"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372541689"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B81D12E0-4BF8-11ED-89AC-E62BBF623C53} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30990341"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30990341"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90ec2aa205e0d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 006479bc05e0d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4676	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4676	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4676	iexplore.exe
4676	iexplore.exe
4864	IEXPLORE.EXE
4864	IEXPLORE.EXE
4864	IEXPLORE.EXE
4864	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 4864	4676	iexplore.exe	74
PID 4676 wrote to memory of 4864	4676	iexplore.exe	74
PID 4676 wrote to memory of 4864	4676	iexplore.exe	74

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\srv.html
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4676 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ru1r3yf\imagestore.dat

Filesize
8KB

MD5
af406d273b78ff708574756593a15146

SHA1
800276925348c2731eb62f105fa97fa9a5b2dab1

SHA256
334685e70a048502d011348e192e6212a9c75ec90a12eca04514eec33f023441

SHA512
efb5c36c3ed2429c9744ea61fb8d0957660e39f40a1cacfc21c36d89a06447a4bbebae6550f525c35e3887729d30cac9fc53e7251c57d7cb618780e2c8a66b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GMQ6XNBF\favicon[2].ico

Filesize
14KB

MD5
08688ec246caa64b55f284a348008c48

SHA1
9d7196c2fdf65c05dbab8ab74c593a581d2f09b0

SHA256
fac5680d7feb5d6b0a4f4caa95868bf3b7a26c85699b2fc9ace6f96f40ab1dc1

SHA512
2f0e9a07a3ab5693438845895cb9ffbbfa4dce01e9340cf929d5ef4fdef25c3001bb264503a21b51fd4030da39f3857e2071c1c477cf888b6b9eb7f07b06e7d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S58XVZL8\favicon[1].ico

Filesize
7KB

MD5
21dfe1c3d1424af7dc63f2216d16871e

SHA1
4c8103880775e1be6ef6a8e7490c33a77fea70fa

SHA256
a2094fafab274c1dce798478b6f8ecce80f7fdfa6aa7eb88a625ce8c3dfe683c

SHA512
8b64fe9c85e04a6eb588a9fb74f964e2105b643638ad6a5f68691947a003e1c124a08549344589571baa22ea802a9f791e455ce088cf10b7f53b5011e154fe7b

Download Submit